So what's the purpose of this post, you may ask? We needed a quick way to enumerate which parts of a Microsoft Windows system are accessible from low integrity processes, to aid with the SDL verification phase, so we wrote a small utility to do exactly that. It enumerates the different classes of securable object, reads the mandatory integrity label on each one and reports those labelled Low. Currently the tool enumerates the following:

File system

Registry

Objects

Named pipes

The implementation is straightforward: first enumerate the objects (each class via its own mechanism), then call the following functions on each one:
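As an added illustration of that two-step approach (this is not the utility's own code, nor the function list it used): the PowerShell below reads the mandatory label of files and registry keys through GetNamedSecurityInfo with LABEL_SECURITY_INFORMATION, walks the returned SACL for the SYSTEM_MANDATORY_LABEL_ACE, and reports objects whose label a Low integrity process could write through. The roots C:\ProgramData and HKLM\SOFTWARE are arbitrary starting points chosen for the example. Two caveats are built in: an object with no label at all is treated by Windows as Medium with NoWriteUp, so only an explicit Low (or Untrusted) label, or a label that omits the NW policy, lets a Low integrity process write to it; and the label is only half the check, since the DACL must still grant the process's user write access.

```powershell
# Added example, not the post's tool: list file system and registry objects whose
# mandatory label allows a Low integrity process to write to them.
# Reading LABEL_SECURITY_INFORMATION needs only READ_CONTROL on the object, not
# SeSecurityPrivilege, so this runs from an ordinary (Medium) user account.

$native = @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetNamedSecurityInfoW(string pObjectName, int ObjectType,
    uint SecurityInfo, IntPtr ppsidOwner, IntPtr ppsidGroup, IntPtr ppDacl,
    out IntPtr ppSacl, out IntPtr ppSecurityDescriptor);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetAce(IntPtr pAcl, uint dwAceIndex, out IntPtr pAce);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool ConvertSidToStringSidW(IntPtr pSid, out IntPtr ppStringSid);
[DllImport("kernel32.dll")]
public static extern IntPtr LocalFree(IntPtr hMem);
'@
Add-Type -MemberDefinition $native -Name Advapi -Namespace LowIL

$SE_FILE_OBJECT  = 1      # SE_OBJECT_TYPE values
$SE_REGISTRY_KEY = 4
$LABEL_SECURITY_INFORMATION         = 0x10
$SYSTEM_MANDATORY_LABEL_ACE_TYPE    = 0x11
$SYSTEM_MANDATORY_LABEL_NO_WRITE_UP = 0x1
# Integrity level RIDs from S-1-16-<rid>
$LevelNames = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }

function Get-MandatoryLabel {
    param([string]$Name, [int]$ObjectType)
    $sacl = [IntPtr]::Zero; $sd = [IntPtr]::Zero
    $err = [LowIL.Advapi]::GetNamedSecurityInfoW($Name, $ObjectType, $LABEL_SECURITY_INFORMATION,
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$sacl, [ref]$sd)
    if ($err -ne 0) { throw "GetNamedSecurityInfo($Name) failed with error $err" }
    try {
        # No SACL, or one without a label ACE, means no explicit label: the object
        # is then implicitly Medium / NoWriteUp and is not Low-writable.
        if ($sacl -eq [IntPtr]::Zero) { return $null }
        # ACL header: AclRevision(1) Sbz1(1) AclSize(2) AceCount(2) Sbz2(2)
        $aceCount = [System.Runtime.InteropServices.Marshal]::ReadInt16($sacl, 4)
        for ($i = 0; $i -lt $aceCount; $i++) {
            $ace = [IntPtr]::Zero
            if (-not [LowIL.Advapi]::GetAce($sacl, [uint32]$i, [ref]$ace)) { continue }
            if ([System.Runtime.InteropServices.Marshal]::ReadByte($ace, 0) -ne $SYSTEM_MANDATORY_LABEL_ACE_TYPE) { continue }
            # SYSTEM_MANDATORY_LABEL_ACE: ACE_HEADER (4 bytes), Mask (4 bytes), SidStart
            $mask   = [System.Runtime.InteropServices.Marshal]::ReadInt32($ace, 4)
            $sidPtr = [IntPtr]::Add($ace, 8)
            $str = [IntPtr]::Zero
            if (-not [LowIL.Advapi]::ConvertSidToStringSidW($sidPtr, [ref]$str)) { continue }
            $sid = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($str)
            [void][LowIL.Advapi]::LocalFree($str)
            $rid = [int]($sid.Split('-')[-1])
            return [pscustomobject]@{
                Name      = $Name
                Rid       = $rid
                Level     = if ($LevelNames.ContainsKey($rid)) { $LevelNames[$rid] } else { '0x{0:X}' -f $rid }
                NoWriteUp = (($mask -band $SYSTEM_MANDATORY_LABEL_NO_WRITE_UP) -ne 0)
            }
        }
        return $null
    } finally {
        if ($sd -ne [IntPtr]::Zero) { [void][LowIL.Advapi]::LocalFree($sd) }
    }
}

function Test-LowWritableLabel {
    param($Label)
    # Low can write if the label is Low or Untrusted, or if the label carries no
    # NoWriteUp policy at all. The DACL still has to grant write; check that separately.
    if ($null -eq $Label) { return $false }
    return ($Label.Rid -le 4096) -or (-not $Label.NoWriteUp)
}

function Report($Label) { '{0,-9} NW={1,-5} {2}' -f $Label.Level, $Label.NoWriteUp, $Label.Name }

# Step 1: enumerate objects; step 2: query each one's label. Example roots only.
Get-ChildItem -Path 'C:\ProgramData' -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    try { $l = Get-MandatoryLabel -Name $_.FullName -ObjectType $SE_FILE_OBJECT } catch { return }
    if (Test-LowWritableLabel $l) { Report $l }
}
Get-ChildItem -Path 'HKLM:\SOFTWARE' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    # GetNamedSecurityInfo expects MACHINE\..., USERS\..., CURRENT_USER\..., CLASSES_ROOT\...
    $key = 'MACHINE\' + $_.Name.Substring('HKEY_LOCAL_MACHINE\'.Length)
    try { $l = Get-MandatoryLabel -Name $key -ObjectType $SE_REGISTRY_KEY } catch { return }
    if (Test-LowWritableLabel $l) { Report $l }
}
```

For a quick cross-check of any file system hit, icacls prints the same label as a line of the form "Mandatory Label\Low Mandatory Level:(NW)" alongside the DACL entries, so you can confirm both the label and whether the DACL actually grants write to the user the low integrity process runs as.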

If you're interested in using the utility it can be downloaded in binary form from here. The tool has been statically linked against the CRT, so you won't need the matching redistributable installed for it to work.

Before posting we checked with Tom Keetch to see if he was aware of any other tools that do something similar, as we didn't want to waste people's time. Tom pointed out that AccessChk from Windows Sysinternals can do something similar with the -w -e command line options (show only objects with write access, and only explicitly set integrity levels), but it won't specifically filter down to just the low integrity labelled objects (accepted that you could do some grep-foo to post-process the output).

Tom also mentioned that the Attack Surface Analyzer from Microsoft may also flag low integrity accessible objects. The downside of Attack Surface Analyzer is that it needs to be run before and after product installation, so it may be a little too cumbersome in some situations, specifically if you've been given an already installed box to assess.

Anyway we hope you find the tool useful and if you have any feedback, bugs or omissions please do get in touch.